Who Should Infosec Report To?

February 4th, 2010

I’ve been thinking about governance a lot lately, probably since I’ve been working with consulting clients at various stages of security dysfunction, and it has become OBVIOUS that governance plays a big role in how security “gets done”. This is not a new debate – most of us in the security industry have worked at a variety of organizations, some of which report to a genuine CISO or CSO, others who report to a VP of IT or CIO, some who just “float” in the IT department or elsewhere. Here’s my general feeling today, though, and it may come as a surprise to some:

Information Security should not report to IT.

Before the ever-cynical infosec crowd stops reading and throws this out the window, let me explain why I feel this way. Information security really has several key functions to perform – security operations (in whatever capacity that may take), security audit and analysis (could be related to compliance, but also ensuring policy is set and followed), and security-related governance, ie working with the entire organization to ensure information is protected with input from all business units and departments. Did you catch that last part? It’s important.

When infosec reports to IT, it is in essence, aligned with IT. It is tied to IT budgets, politics, reporting constraints, other priorities, etc. This is exactly wrong. With organizations’ data rapidly becoming the most important asset (behind their people, of course), the need to impartially manage the security and risk mitigation of that data should not be tied to IT…nor ANY ONE GROUP. What this means, in the most simple fashion, is that it is time for information security, with or without an official CISO or CSO, to report directly to the CEO and/or the board (preferably the latter). Here are a few common places I see infosec reporting into, and the most obvious pitfalls that relate to this governance/org structure:

CFO/Finance: This is not too common, but I’ve encountered it a few times. The benefit is that you don’t report to IT, so the organization likely recognizes the potential conflict and/or need to separate information security from the larger quagmire that is Information Technology in general. However, CFOs have their own agendas, and although they may align with the organization as a whole in most cases, not always. Sometimes, CFOs can’t see the forest for the trees, and become blindly focused on saving money at all costs. This doesn’t jive with the world of information security, where you may well need budget unexpectedly due to changing threat landscapes.

IT VP/Director/Manager: The most common case. I’ve already explained why this should change, but another point to consider is the mysteriously self-serving nature of IT organizations. Although they talk the talk about “supporting the business”, many IT professionals could honestly care less about business issues, and just want to play with the new toys. Bad, bad, bad for security in so many ways.

Internal Audit (VP/Director): This actually tends to be the most closely aligned with the CEO/BoD in quite a few cases, as the internal audit department usually has some degree of impartiality. However, there’s a big caveat. Many audit departments have compliance at the top of their list, and compliance != security, as we all know. The biggest pitfall here is shortchanging security initiatives when they’re halfway completed since the checkbox is already checked on the auditor’s list.

I’m not much of one for absolutes, in just about anything really, but I am 100% behind this one. We need to see this trend happen – CISOs and CSOs need complete severance from ANY one group in the organization, as they have to work with them all. Closely aligned with much of IT, yes. Under its thumb? Not just no, but hell no.

I think it’s a mistake to take an absolute view on something like this, especially when there are so many other variables that come into play.

What about an organization that relies heavily on its IT infrastructure, where the CIO is more powerful than other VPs, and has an understanding of risks and wants solid advice from the CISO to ensure that assets are protected? I happen to work in an organization like this, and we are much more effective than Compliance (reports directly to the board) and Internal Audit (reports to Finance).

@Rich
Don’t get hung up on this and think I’m saying infosec can’t be effective under IT. Oftentimes, it can. However, why does infosec need a proxy (your CIO)? It needs to be a top-level spot with the CISO completely impartial to the CIO. I am not suggesting the CISO *should* report to other VPs…that’s the point.

The CISO / CSO function is an ASSURANCE Function. They assure the management that Information within the organization is continually protected (C,I,A).

In the current scenario, the CISO generally (99% cases)reports to IT. But other ASSURANCE functions like Risk, Internal Audit, Compliance, Legal do not report to IT. They report to either the CEO or the BOD. Hence in my opinion, the CISO / CSO should be reporting to either the CEO / COO or the BOD.